[wasm] Fix heap type clusterfuzz issue

Also shuffle HeapType helper functionality a bit Bug: chromium:1101629, v8:7748 Change-Id: I7c27dc96f02173c73dbac7b518e7936e4e0d5bf3 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2275965Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Manos Koukoutos <manoskouk@chromium.org> Cr-Commit-Position: refs/heads/master@{#68659}

[wasm] Fix heap type clusterfuzz issue
Also shuffle HeapType helper functionality a bit Bug: chromium:1101629, v8:7748 Change-Id: I7c27dc96f02173c73dbac7b518e7936e4e0d5bf3 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2275965Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Manos Koukoutos <manoskouk@chromium.org> Cr-Commit-Position: refs/heads/master@{#68659}
7c6ff8b1 · Manos Koukoutos · Commit Bot · a7115749 · 7c6ff8b1 · 7c6ff8b1
Commit 7c6ff8b1 authored Jul 02, 2020 by Manos Koukoutos Committed by Commit Bot Jul 02, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 5 deletions

function-body-decoder-impl.h src/wasm/function-body-decoder-impl.h +6 -1

value-type.h src/wasm/value-type.h +6 -4

No files found.
--- a/src/wasm/function-body-decoder-impl.h
+++ b/src/wasm/function-body-decoder-impl.h
@@ -163,8 +163,9 @@ HeapType read_heap_type(Decoder* decoder, const byte* pc,
        return result;
      }
      default:
-        if (validate)
+        if (validate) {
          decoder->errorf(pc, "Unknown heap type %" PRId64, heap_index);
+        }
        return HeapType(HeapType::kBottom);
    }
    UNREACHABLE();
@@ -1432,6 +1433,10 @@ class WasmDecoder : public Decoder {
  }

  inline bool Validate(const byte* pc, HeapTypeImmediate<validate>& imm) {
+    if (!VALIDATE(!imm.type.is_bottom())) {
+      error(pc, "invalid heap type");
+      return false;
+    }
    if (!VALIDATE(imm.type.is_generic() ||
                  module_->has_array(imm.type.ref_index()) ||
                  module_->has_struct(imm.type.ref_index()))) {

--- a/src/wasm/value-type.h
+++ b/src/wasm/value-type.h
@@ -78,7 +78,7 @@ class HeapType {
  }

  explicit constexpr HeapType(Representation repr) : representation_(repr) {
-    CONSTEXPR_DCHECK(is_valid());
+    CONSTEXPR_DCHECK(is_bottom() || is_valid());
  }
  explicit constexpr HeapType(uint32_t repr)
      : HeapType(static_cast<Representation>(repr)) {}
@@ -97,10 +97,10 @@ class HeapType {
  }

  constexpr bool is_generic() const {
-    return representation_ >= kFirstSentinel;
+    return !is_bottom() && representation_ >= kFirstSentinel;
  }

-  constexpr bool is_index() const { return !is_generic(); }
+  constexpr bool is_index() const { return !is_bottom() && !is_generic(); }

  constexpr bool is_bottom() const { return representation_ == kBottom; }

@@ -144,7 +144,9 @@ class HeapType {
 private:
  friend class ValueType;
  Representation representation_;
-  constexpr bool is_valid() const { return representation_ <= kLastSentinel; }
+  constexpr bool is_valid() const {
+    return !is_bottom() && representation_ <= kLastSentinel;
+  }
 };
 enum Nullability : bool { kNonNullable, kNullable };